Security issue - or not? (remote trigger SMC startup)
Hi,
During installation of a few zones on a Sol10U2 system today, I noticed that simply running an nmap scan on a freshly installed and booted zone would cause the SMC to start:
Starting Solaris Management Console server version 2.1.0.
endpoint created: :898
Adding instance of solaris_providerpath
Adding class Solaris_LocalFileSystem
Adding class Solaris_Directory
Adding class Solaris_Mount
Adding class Solaris_UFS
Adding class Solaris_HSFS
Adding class Solaris_UFSMount
Adding class Solaris_HSFSMount
Adding class Solaris_LocalFSResidesOnExtent
Compilation succeeded.
Adding class Solaris_DiskDrive
Adding class Solaris_DiskPartition
Adding class Solaris_MediaPresent
Adding class Solaris_LogicalDisk
Adding class Solaris_PhysicalMedia
Adding class Solaris_Disk
Adding class Solaris_PhysicalPackage
Adding class Solaris_RealizesExtent
Adding class Solaris_RealizesDiskPartition
Adding class Solaris_RealizesDiskDrive
Adding class Solaris_DiskPartitionBasedOnDisk
Adding class Solaris_DiskPartitionBasedOnFDisk
Adding class Solaris_SCSIController
Adding class Solaris_IDEController
Adding class Solaris_MPXIOController
Adding class Solaris_USBSCSIController
Adding class Solaris_GenericController
Adding class Solaris_SCSIInterface
Adding class Solaris_MPXIOInterface
Adding class Solaris_IDEInterface
Adding class Solaris_ExtraCapacityGroup
Adding class Solaris_MPXIOGroup
Adding class Solaris_ControllerLogicalIdentity
Adding class Solaris_MPXIOCtrlrLogicalIdentity
Adding class Solaris_ControllerComponent
Adding class Solaris_MPXIOComponent
Adding class Solaris_StorageLibrary
Compilation succeeded.
Adding class CIM_ManagedElement
Adding class CIM_SettingData
Adding class CIM_Share
Adding class CIM_FileShare
Adding class CIM_NFSShare
Adding class CIM_SharedElement
Adding class CIM_HostedShare
Compilation succeeded.
Adding class Solaris_NFSShare
Adding class Solaris_NFSShareSecurity
Adding class Solaris_NFS
Adding class Solaris_PersistentShare
Adding class Solaris_MountSetting
Adding class Solaris_NFSMountSetting
Adding class Solaris_ShareSetting
Adding class Solaris_NFSShareSetting
Adding class Solaris_ShareService
Adding class Solaris_MountService
Adding class Solaris_NFSMount
Adding class Solaris_NFSShareSecurityModes
Adding class Solaris_NFSShareDefSecurityMode
Adding class Solaris_HostedShare
Adding class Solaris_PersistentShareConfiguration
Adding class Solaris_PersistentShareForSystem
Adding class Solaris_NFSShareEntry
Adding class Solaris_SharedElement
Adding class Solaris_NFSExport
Adding class Solaris_SharedFileSystem
Compilation succeeded.
Adding instance of solaris_providerpath
Adding instance of solaris_providerpath
Adding class Solaris_VMStateDatabase
Adding class Solaris_VMSoftPartition
Adding class Solaris_VMExtent
Adding class Solaris_VMStripe
Adding class Solaris_VMConcat
Adding class Solaris_VMMirror
Adding class Solaris_VMRaid5
Adding class Solaris_VMTrans
Adding class Solaris_VMHotSparePool
Adding class Solaris_VMDiskSet
Adding class Solaris_VMStorageVolume
Adding class Solaris_VMConcatComponent
Adding class Solaris_VMDriveInDiskSet
Adding class Solaris_VMExtentBasedOn
Adding class Solaris_VMSoftPartComponent
Adding class Solaris_VMExtentInDiskSet
Adding class Solaris_VMHostInDiskSet
Adding class Solaris_VMHotSpareInUse
Adding class Solaris_VMHotSpares
Adding class Solaris_VMMirrorSubmirrors
Adding class Solaris_VMRaid5Component
Adding class Solaris_VMStatistics
Adding class Solaris_VMStripeComponent
Adding class Solaris_VMTransLog
Adding class Solaris_VMTransMaster
Adding class Solaris_VMUsesHotSparePool
Adding class Solaris_VMVolumeBasedOn
Adding class Solaris_DiskIOPerformanceMonitor
Compilation succeeded.
Adding instance of solaris_providerpath
Adding class Solaris_ActiveUser
Adding class Solaris_ActiveProject
Adding class Solaris_ProcessStatisticalInformation
Adding class Solaris_UserProcessAggregateStatisticalInformation
Adding class Solaris_ProjectProcessAggregateStatisticalInformation
Adding class Solaris_ProcessStatistics
Adding class Solaris_ActiveUserProcessAggregateStatistics
Adding class Solaris_ActiveProjectProcessAggregateStatistics
Compilation succeeded.
Registration setup: 8/8 (Executing SUNWpmgr_reg.sh)
Registering components: 64/64 (Registering PatchMgrCli.jar) er)
Solaris Management Console server is ready.
For interest, the nmap result is:
toby@deepthought ~ $ nmap -v 192.168.1.122
Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-08-29 20:39 EDT
DNS resolution of 1 IPs took 0.23s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect() Scan against 192.168.1.122 [1672 ports] at 20:39
The Connect() Scan took 44.49s to scan 1672 total ports.
Host 192.168.1.122 appears to be up ... good.
Interesting ports on 192.168.1.122:
(The 1662 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
79/tcp open finger
111/tcp open rpcbind
513/tcp open login
514/tcp open shell
898/tcp open sun-manageconsole
4045/tcp open lockd
7100/tcp open font-service
Nmap finished: 1 IP address (1 host up) scanned in 44.874 seconds
(port 7100 is actually a non-standard VNC server which was carried over from the global zone)
Of course, this is immediately before running Solaris Security Toolkit (jass) to apply a secure profile.
Does it matter that this SMC startup can be triggered so easily remotely?
It just struck me odd that simply port-scanning the machine could produce this behaviour, and I wonder if it might be a security issue.
Probably not directly. Sun has distributed several items in the past that launch via inetd connections (calendar manager and font server were two common ones). Just because it launches doesn't mean it's a security problem. The application itself may require authentication after running.
Of course the resources required by the process may be non-trivial, and the application may have security issues, but the fact that it launches isn't a direct indication of a problem.
Darren
Similar Messages
-
Security issue to access remote ejbs, URGENT!!! please and thanks.
Hi gurus:
I have questions for you. I need to access remote ejbs. the ejb(beans) have been
deployed on remote machine. I have helper class file to do JNDI lookup to point
the machine and find it.
I have local machine to have all of home interfaces, remote interfaces and stub
classes and common classes. I have local jsp and config weblogic-web.xml to allow
test user to access.
Sometimes fine but got the following message and error from my local machine.
I have no clue about that. Is any other issue that remote machine have security
to limit clients to access beans. Because remote wl server startup as system/weblogic.
If my local machine startup as system/weblogic too. It has no problem at all.
This doesn't make sense for my local machine has to have same system's password
as remote machine. Should have some issues to limit clients to access remote beans.
Thank you for any helps and suggestions in advance.
Steven.
####<Jun 7, 2001 10:34:25 AM CDT> <Error> <HTTP> <stevenzhu> <myserver> <ExecuteThread-14>
<springbow> <> <101020> <[WebAppServletContext(8365803,public_html)] Servlet failed
with Exception>
java.lang.SecurityException: Authentication for user test denied in realm wl_realm
at weblogic.rmi.internal.AbstractOutboundRequest.sendReceive(AbstractOutboundRequest.java:90)
at weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java:247)
at weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteRef.java:225)
at weblogic.jndi.internal.ServerNamingNode_WLStub.lookup(ServerNamingNode_WLStub.java:121)
at weblogic.jndi.internal.WLContextImpl.lookup(WLContextImpl.java:323)
at com.sprint.common.util.EJBHelper.getHomeInterface(EJBHelper.java:172)
at com.sprint.common.util.EJBHelper.getOrganizationSLHome(EJBHelper.java:122)
at com.sprint.common.organization.OrganizationBean.getOrganizationHome(OrganizationBean.java:290)
at com.sprint.common.organization.OrganizationBean.getOrganizationRemote(OrganizationBean.java:315)
at com.sprint.common.organization.OrganizationBean.findEmployee(OrganizationBean.java:107)
at jsp_servlet._ehr._vieworganizationalhierarchy._jspService(_vieworganizationalhierarchy.java:173)
at weblogic.servlet.jsp.JspBase.service(JspBase.java:27)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:208)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:1127)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:1529)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:137)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
Well, if we post in other threads, they tell me that it is ARD and server technology. If you try to post back to my mac in the normal threads about Leopard, they point us to this thread.
It seems that a lot of people are frantically looking for someone who can explain in plain english how to do the remote desktop - is remote desktop the same technology as back to my mac?
Extremely frustrating for people like me who don't have unix or programming language experience... We choose for mac because we wanted user-friendliness... What a joke! -
Sandbox Security Issue (MIDI Not Working In Applet)
Hi all,
I'm having problems getting javax.sound.midi to work in a java applet. It works fine when I run the applet from within JGrasp, but when I try to run the applet from an HTML file there is no sound. From what info I've found, it seems like my problem has to do with the sandbox security so the applet is not being able to access the computer's sound card, but I still haven't found a solution or a work around to that problem (after about 2 weeks worth of searching). The world of applet security is all new territory for me.
I am running the html file off of my hard drive and I have my test program's class file in the same directory. I have tried both firefox and internet explorer web browsers (and also did the "allow blocked content" in internet explorer).
I have no other sound sources playing or paused that would interfere with the web browser playing (it works in JGrasp and immediately after closing JGrasp completely it doesn't work in the web browser).
Any help in getting this figured out would be greatly appreciated. An example of an open source MIDI Java applet that I can pick apart to figure out what I need to make this work would be fantastic. Thanks in advance!
Here are the codes to my test program and HTML file:
PlayMIDI.html
<html>
<body>
<CENTER><applet code="PlayMIDI.class" width="1000" height="500"></applet></CENTER>
</body>
</html>
PlayMIDI.java
import java.awt.*;
import java.awt.event.*;
import javax.swing.*;
import javax.swing.event.*;
import java.net.*;
import javax.sound.midi.*;

public class PlayMIDI extends JApplet
{
    public void init()
    {
        MIDITest play = new MIDITest(0);
        play.playSong(100);
    }
}

class MIDITest
{
    private final int C4 = 60; // C4 is the note middle C
    private final int MF = Integer.MAX_VALUE / 2; // MF stands for mezzo forte -- medium loud
    private int iTimbre; // midi instrument number
    private Synthesizer synth; // get the java synthesizer
    private MidiChannel [] channels; // get an array of channels. This is the number of notes that can sound simultaneously

    // Creates a midi synthesizer using the supplied instrument "patch".
    // instrument numbers can vary from 0 to 127
    public MIDITest(int instrumentNumber)
    {
        iTimbre = instrumentNumber;
        try
        {   synth = MidiSystem.getSynthesizer(); // get the default synthesizer
            synth.open(); // open the synthesizer
            synth.loadAllInstruments(synth.getDefaultSoundbank()); // make all instruments available
            channels = synth.getChannels();
            channels[0].programChange(0, iTimbre); // set the instrument for the channel 0
        }
        catch (Exception e)
        {   System.out.println(e);
        }
    }

    public void playSong(int tempo)
    {
        int quarter = 60000;
        int eigth = 30000;
        int half = 120000;
        int whole = 240000;
        int D4 = C4 + 2;
        int E4 = C4 + 4;
        int G4 = C4 + 7;
        int A4 = C4 + 9;
        int B4 = C4 + 11;
        try
        {   channels[0].noteOn(E4, MF); // start the instrument on channel 0 sounding
            channels[0].noteOn(B4, MF);
            channels[0].noteOn(G4, MF);
            channels[0].noteOn(D4, MF);
            Thread.sleep(whole / tempo); // sleep causes the program to wait the given number of milliseconds
            channels[0].noteOff(E4, MF); // stop the sound on the instrument on channel 0
            channels[0].noteOff(B4, MF);
            channels[0].noteOff(G4, MF);
            channels[0].noteOff(D4, MF);
        }
        catch (Exception e)
        {   System.out.println(e);
        }
    }
}
Hi ejp, thanks for the reply.
I did some searching for applet signing and I found this:
http://www.brendonwilson.com/projects/signed-java/
"Developers should be warned that signing alone is not enough to enable their Java applets to access resources normally restricted by the Java sandbox. Although signing provides proof of the integrity of the applet and validation of the author's identity through trust-hierarchies, developers must also make use of the browser-dependent APIs to request permission from the user to perform restricted activities."
So am I going to have to ask permission from each browser in order to get access to the sound card for the MIDI to play or will the MIDI work without that?
Also, I found this tutorial on signing applets. Does this look like a good one?
http://www-personal.umich.edu/~lsiden/tutorials/signed-applet/signed-applet.html
Thanks again,
-tkr -
Samba 3.2.6 patch for security issue
I know the security issue is hard to trigger, but I created a new PKGBUILD for samba 3.2.6 containing the patch.
Excerpt from the patch commentary:
commit 288fa94ac7cfdf7457b5098c33fc840bed3d5410
Author: Michael Adam <[email protected]>
AuthorDate: Thu Dec 18 18:01:55 2008 +0100
Commit: Karolin Seeger <[email protected]>
CommitDate: Fri Dec 19 08:30:23 2008 +0100
smbd: prevent access to root filesystem when connecting with empty service name
This only applies to a setup with "registry shares = yes"
Michael
And here's the PKGBUILD:
# $Id: PKGBUILD 22200 2008-12-22 22:24:26Z tpowa $
# Maintainer: judd <[email protected]>
pkgname=samba
pkgver=3.2.6
# We use the 'A' to fake out pacman's version comparators. Samba chooses
# to append 'a','b',etc to their subsequent releases, which pacman
# misconstrues as alpha, beta, etc. Bad samba!
_realver=3.2.6
pkgrel=2.1
pkgdesc="Tools to access a server's filespace and printers via SMB"
arch=(i686 x86_64)
url="http://www.samba.org"
license=('GPL3')
backup=(etc/logrotate.d/samba etc/pam.d/samba etc/samba/smb.conf etc/xinetd.d/swat etc/conf.d/samba)
depends=('db>=4.7' 'popt' 'libcups' 'acl' 'libldap' 'smbclient=3.2.6' 'libcap' 'heimdal>=1.2-1' 'pam' 'fam' 'gnutls>=2.4.1' 'tdb=3.2.6')
options=(!makeflags)
source=(http://us1.samba.org/samba/ftp/stable/${pkgname}-${_realver}.tar.gz \
no-clients.patch samba samba.logrotate swat.xinetd samba.pam samba.conf.d \
ftp://us1.samba.org/pub/samba/patches/security/samba-3.2.6-CVE-2009-0022.patch)
build() {
cd ${srcdir}/${pkgname}-${_realver}/source
patch -Np2 -i ${srcdir}/no-clients.patch || return 1
patch -Np2 -i ${srcdir}/samba-3.2.6-CVE-2009-0022.patch || return 1
./configure --prefix=/usr --with-configdir=/etc/samba \
--with-lockdir=/var/cache/samba \
--with-piddir=/var/run/samba \
--with-fhs --with-pam --with-ads --with-acl-support \
--without-cifsmount --without-libsmbclient \
--with-syslog --with-pam_smbpass \
--localstatedir=/var --disable-dnssd --libdir=/usr/lib/samba
make || return 1
mkdir -p ${pkgdir}/var/log/samba
mkdir -p ${pkgdir}/etc/samba/private
chmod 700 ${pkgdir}/etc/samba/private
make DESTDIR=$startdir/pkg install
chmod 644 ${pkgdir}/usr/include/*.h
rm -rf ${pkgdir}/usr/var
(cd script; cp installbin.sh i; cat i | sed 's/\/sbin\///' > installbin.sh)
install -D -m755 ../../samba ${pkgdir}/etc/rc.d/samba
install -D -m644 ../../samba.conf.d ${pkgdir}/etc/conf.d/samba
mkdir -p ${pkgdir}/etc/samba
cat ../examples/smb.conf.default | \
sed 's|log file = .*$|log file = /var/log/samba/log.%m|g' >${pkgdir}/etc/samba/smb.conf.default
install -D -m644 ../../samba.logrotate ${pkgdir}/etc/logrotate.d/samba
install -D -m644 ../../swat.xinetd ${pkgdir}/etc/xinetd.d/swat
install -D -m644 ../../samba.pam ${pkgdir}/etc/pam.d/samba
# symlink libs
for i in ${pkgdir}/usr/lib/samba/libsmbshare*; do
ln -sf samba/$(basename $i) ${pkgdir}/usr/lib/$(basename $i)
done
# spool directory
install -d -m1777 ${pkgdir}/var/spool/samba
sed -i 's|/usr/spool/samba|/var/spool/samba|g' ${pkgdir}/etc/samba/smb.conf.default
# fix logrotate
sed -i -e 's|log.%m|%m.log|g' ${pkgdir}/etc/samba/smb.conf.default
# nsswitch libraries
install -D -m755 nsswitch/libnss_wins.so ${pkgdir}/lib/libnss_wins.so
ln -s libnss_wins.so ${pkgdir}/lib/libnss_wins.so.2
install -D -m755 nsswitch/libnss_winbind.so ${pkgdir}/lib/libnss_winbind.so
install -D -m755 bin/pam_winbind.so ${pkgdir}/lib/security/pam_winbind.so
# remove conflict files of smbclient and tdb
for man in libsmbclient smbspool \
umount.cifs mount.cifs net; do
rm -f ${pkgdir}/usr/share/man/man8/${man}.8
done
for i in libnetapi* libtdb* libtalloc* libwbclient*; do
rm -f ${pkgdir}/usr/lib/samba/$i
done
rm -f ${pkgdir}/usr/bin/tdbbackup
rm -f ${pkgdir}/usr/include/{tdb.h,talloc.h,netapi.h}
for man in rpcclient smbcacls smbclient smbcquotas \
smbtree smbtar nmblookup smbget; do
rm -f ${pkgdir}/usr/share/man/man1/${man}.1
done
rm -f ${pkgdir}/usr/share/man/man7/libsmbclient.7
rm -f ${pkgdir}/usr/include/libsmbclient.h
}
md5sums=('0cd27c7afbb8211616eea4010f32271c'
'a676f0dde2c434aeb5125376b8797a64'
'e93533fa2296c07c1f645dfdd373657f'
'5697da77590ec092cc8a883bae06093c'
'a4bbfa39fee95bba2e7ad6b535fae7e6'
'96f82c38f3f540b53f3e5144900acf17'
'f2f2e348acd1ccb566e95fa8a561b828'
'e15ab37115101cf3a8d110f0c1f8e29e')
I think a security task force should be initiated (I know discussions existed, but I don't know what were the consequences), so that important packages (like those providing services) could be updated in a timely manner. This is a minor issue as I stated earlier, but it could be worse. Those interested, let's initiate a discussion with the developers of important packages and try to get some things working. People (mostly trusted users) who can generate early packages are welcome, so that they can provide early versions of unvulnerable packages.
ckristi wrote:
I don't know about other packages, but I believe when I checked the PKGBUILD for PHP, that the security fix was included in 5.2.7.
Check http://repos.archlinux.org/viewvc.cgi/p … iew=markup for more info.
And don't get me wrong, I am a little bit concerned about the way vulnerabilities are treated in Arch, 'cause my home server is running this distro.
And I really would think we should start some serious discussions about these security issues and the way they should be treated. I know the developers are doing their best and I'm not going to put fingers at all. They should be helped in maintaining packages for important services. We'll benefit from it and their tasks would be easier.
Why don't you start a wiki page tracking the latest vulnerabilities disclosed on various security mailing lists which are not fixed in arch? This will make it much easier for the devs.
This thing has been already discussed multiple times and already a wiki page exists for Arch Security Team but it seems nobody followed up with that.
http://wiki.archlinux.org/index.php/Security_Task_Force -
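The commit message quoted in the Samba thread above says the issue only applies with "registry shares = yes", so a first triage step is to check whether a host's smb.conf enables that setting. The following is an added example, not part of the original posts and not Samba code; the sample configurations are constructed, and treating `config backend = registry` as switching registry shares on follows smb.conf(5) rather than anything stated in the thread.

```python
import re

# Boolean spellings accepted in this example (assumption: the yes/no, true/false, 1/0 forms).
_TRUE = {"yes", "true", "1"}
_FALSE = {"no", "false", "0"}


def _norm(name):
    """Samba ignores case and whitespace inside parameter names."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {normalized parameter: value}}; a later setting overrides an earlier one."""
    sections = {}
    current = None
    pending = ""  # text carried over from a line that ended in a backslash
    for raw in text.splitlines():
        stripped = raw.strip()
        # Blank lines and ';' / '#' comments are skipped unless we are mid-continuation.
        if not pending and (not stripped or stripped[0] in "#;"):
            continue
        line = pending + stripped
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "
            continue
        pending = ""
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][_norm(key)] = value.strip()
    return sections


def _as_bool(value):
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError("unrecognised boolean value: %r" % value)


def registry_shares_enabled(text):
    """True if this smb.conf text turns on registry-defined shares.

    Only [global] is consulted, because "registry shares" is a global parameter.
    """
    glob = parse_smb_conf(text).get("global", {})
    # Per smb.conf(5), "config backend = registry" sets "registry shares" to yes.
    if glob.get("configbackend", "file").lower() == "registry":
        return True
    return _as_bool(glob.get("registryshares", "no"))  # documented default is "no"


# Constructed sample configurations (not taken from any real host).
SAMPLE_ENABLED = r"""
[global]
   workgroup = EXAMPLE
   ; registry shares = no
   Registry Shares = Yes

[public]
   path = /srv/public
"""

SAMPLE_OVERRIDDEN = r"""
[global]
   registry shares = yes
   registry   shares = \
       no
"""

SAMPLE_BACKEND = r"""
[global]
   config backend = registry
"""

SAMPLE_SHARE_ONLY = r"""
[global]
   workgroup = EXAMPLE

[homes]
   registry shares = yes
"""


def audit(configs):
    """Map each named configuration to whether registry shares are enabled."""
    return {name: registry_shares_enabled(text) for name, text in configs.items()}


if __name__ == "__main__":
    results = audit({
        "enabled": SAMPLE_ENABLED,
        "overridden": SAMPLE_OVERRIDDEN,
        "backend": SAMPLE_BACKEND,
        "share-only": SAMPLE_SHARE_ONLY,
    })
    for name, hit in sorted(results.items()):
        print("%-11s registry shares %s" % (name, "ENABLED" if hit else "off"))
```

A host reported as enabled is in the configuration the commit message describes and is the one to prioritise for the patched package.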
I know there are loads of posts with same issue and most of them were related to proxy and connectivity .
This was case for me as well (few months back). Now the same error is back. But I've confirmed that FW ports and proxy are fine this time around.
server is configured on http port 80
ERROR
Sync failed: UssCommunicationError: WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid
according to the validation procedure.~~at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request). Source: Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WSyncAction.WSyncAction.SyncWSUS
I've checked proxy server connectivity. I'm able browse following site from WSUS server
http://catalog.update.microsoft.com/v7/site/Home.aspx?sku=wsus&version=3.2.7600.226&protocol=1.8
I did telnet proxy server on the particular port (8080) and that is also fine.
I've doubt on certificates, any idea which are the certificates which we need to look? And if certificate is expired then (my guess) we won't be able open the above mentioned windows update catalog site?
Any tips appreciated !
Anoop C Nair (My Blog www.AnoopCNair.com)
- Twitter @anoopmannur -
FaceBook Forum For SCCM
Hi Lawrence ! - Many thanks for looking into this thread and replying. Appreciate your help.
Your reply ("SSL is enabled/configured, and the certificate being used is invalid (or the cert does not exist or cannot be obtained), or the SSL connection could not be established.") is very helpful.
I've already tested CONTENT DOWNLOAD and it's working fine. WSUS Sync was also working fine for years with proxy server configured on port (8080) and WSUS server on port 80.
My Guess (this is my best guess ;)) is this something to do with Firewall or Proxy side configuration rather than WSUS. However, I'm not finding a way to prove this to proxy/firewall team. From their perspective all the required port communication open and proxy server is also reachable. More over we're able to access internet (Microsoft Update Catalog site) over same port (8080).
Any other hints where I can prove them it's a sure shot problem from their side.
Thanks again !!
Anoop C Nair (My Blog www.AnoopCNair.com)
- Twitter @anoopmannur -
FaceBook Forum For SCCM -
Hello,
Can I create a pdf that doesn't trigger Acrobat's "JavaScript is currently disabled and this document uses it for some features. Enabling JavaScript can lead to potential security issues."?
I even get this error when I create a blank pdf.
I'm not using any JavaScript in the form and the nature of the message might tend to be a bit scary to some people since it mentions enabling JS can lead to potential security issues. I basically want to disable the messaging of a feature I'm not even using.
Anyone know if this is possible and if so, how I go about it?
Thank you.
Hi,
I too share your frustration!!
Unfortunately I do not have a complete answer for you.
From the start I must say that Stefan Cameron has been very helpful (http://forms.stefcameron.com/2010/01/14/acrobatreader-9-3-now-available/), however I have not had sufficient time available to deal with the issue (or find a satisfactory resolution).
The original post that Srini shared with you related to an XFA form that had FormCalc and Javascript in it. I will now share with you another situation that is closer to your experiences.
Sometimes where we have a complex solution/form, we often give our users a PDF with instructions and demonstrations. We generate these using Adobe products:
LiveCycle Designer ES to generate the solution/form;
Captivate to record the demonstration (.swf);
Acrobat to package it up in a static PDF.
The screen shots below are from a PDF that includes written instructions and six Flash (.swf) files. The PDF does NOT include fields/form objects and does NOT include any FormCalc or Javascript.
One of the big sells in Acrobat 9 was that Adobe had fully integrated Flash (Adobe product, ex. Macromedia) into Acrobat 9. This meant that .swf files could run natively inside a PDF. Brilliant!!! The website today is still pushing this message, for example:
Now bear in mind that the following screenshots are from a PDF that does not contain any scripting - its sole purpose is to "inform" the user, "look as good as the work I put into it", incorporate instruction and "multimedia" in a "single polished file" and I should be "confident that my audience will be able to view my work exactly as intended".
Not so!!
When the user now opens the form, all looks OK. No warning. They can read the instructions and scroll down to the multimedia (.swf files).
However when the user clicks on the multimedia, the yellow bar appears:
I go through the "trust" process:
And the PDF looks like it is OK, no yellow bar. When I click on the multimedia, it begins to play - yes!! BUT ONLY FOR A SECOND OR TWO AND THEN IT STOPS AND GOES BACK TO THE START - AGGGGHHHHHHH!!!!!. I would apologise for shouting, but this is beyond frustration. The work in capturing six screencasts in Captivate, annotating them, publishing to .swf and packaging up in Acrobat has been a complete waste of time. Worse than that I now have several PDFs out there, that do not work. Good advertisement for my business? I don't think so!!
The document that Stefan provided (Managing JavaScript Execution in the Acrobat Family of Products) does not mention Flash/.swf as being a problem. However I would recommend that you go through this document, as it may help you.
So, where to now? I don't know. The previous posts and Stefan's responses have several urls that may help. You should maybe consider logging your experiences as a bug (log at Adobe).
In the meantime good luck,
Niall
UPDATE:
This behaviour (.swf playing for only a few seconds) happens in PDFs where the .swf is inserted as legacy media to run in earlier versions of Acrobat/Reader. In this case Acrobat/Reader is making an external call to Flash Player. Hence the yellow bar. However it does not explain why the Flash video still does not play when trusted.
If the .swf is added into the PDF as Flash media to run on Acrobat 9 and above, then it works without displaying the yellow warning bar.
So maybe any feature of your PDF that calls an external resource is likely to show the yellow warning bar. -
Remote Management Multi-User security issue
Hello,
This issue concerns both Mountain Lion and Lion servers. If I'm not mistaken, the issue is also officially described by Apple in the Lion release about Remote Management vs Screen Sharing features.
My question is simple and yet unanswered after hundreds of Internet searches:
Why on earth a non-Admin user has the right to Share and Control the screen of another (Admin) user being logged-in a (Mountain) Lion server? It looks like the trick is that "Remote Management" instead of "Screen Sharing" is active. So what? Why a non-Admin should be allowed at all to view another users desktop just by typing-in his/her own credentials?
Am I missing something or is Apple really out-of-security context? Our admin devoted significant effort to arrange access for the shared directories. For what? To find out that the Screen Sharing security under ARD Management (Remote Management) is non-existent?
Am I terribly wrong?
Any feedback will be highly appreciated.
D.
http://www.apple.com/feedback/
-
Can not view slideshows or create a book on Snapfish. SF IT folks say it's a security issue on my end. Any ideas?
You will need to contact Snapfish to find out their system requirements and which plugin you need
- http://support.snapfish.com/app/answers/detail/a_id/669/brand/3 -
I updated automatically some security issues in my computer (I don't remember which) and now my gmail will start opening until it reaches 75% and it will not go on opening.
I can open it Internet explorer but not in Mozilla fireworks
Clear the cache and the cookies from sites that cause problems.
"Clear the Cache":
*Tools > Options > Advanced > Network > Cached Web Content: "Clear Now"
"Remove Cookies" from sites causing problems:
*Tools > Options > Privacy > Cookies: "Show Cookies"
Start Firefox in Safe Mode to check if one of the extensions or if hardware acceleration is causing the problem (switch to the DEFAULT theme: Firefox/Tools > Add-ons > Appearance/Themes).
*Don't make any changes on the Safe mode start window.
*https://support.mozilla.org/kb/Safe+Mode
*https://support.mozilla.org/kb/Troubleshooting+extensions+and+themes -
I need to update iOS 6.1.3 on my iPad2 to 6.1.6, due to security issue. Why is no update available? I do NOT want to install iOS 7, due to memory limitations.
Any upgrade will be to the most recent, compatible version, in this case 7.0.6.
-
Teachers in our district are supposed to use www.thinkcentral.com with FireFox.
Some have no problem accessing the lesson plans.
Most when they login click on a lesson plan and an icon shows up that says loading but never does.
If you reboot the computer and login you can open a page once but not a second time and no other lessons will open.
Think Central support says this is a security issue with Firefox.
I have updated FireFox, all the Adobe, Reader, Flash, Air and Shockwave. As well as Java.
I have allowed the pop ups to the think Central web site.
Any help would be appreciated
Are there any notification icons on the left end of the address bar? If so, please click them to see whether they related to security issues (such as blocked content - shield icon: "How does content that isn't secure affect my safety?") or a plugin requiring permission (Lego-like icon).
Does Think Central have any help pages about this issue? Without an account, it is difficult to explore the issue first-hand. -
Hi All,
I was wondering if anyone could help me with a HFM security issue on HFM 11.1.2.3 we are facing please?
The problem is that a user can by-pass the journal approval stage and post directly after submitting if Custom4 access control=All is selected.
If any of the other access controls (None, Read, Promote) for custom 4 are selected, the first two steps of the process are possible - input and approval of the journal are possible but final posting of the journal is not and returns an error that says:
"User does not have the access right to perform this journal task"
The options I have thought for a workaround are as follows:
1. Set up a 3rd user called data poster and remove submit journal role from user 1 (data inputter)
2. Put in place process control and use the various review levels (could be quite time consuming given there is no time left for development)
Has anyone experienced this before and come up with a quick way of resolving this please? It would be very much appreciated.
We have two types of users who are associated with groups in HFM and have the appropriate roles assigned to them to complete their tasks, they are:
1. A data Inputter (who inputs base data and journals, who has access to create and submit journals)
2. A data reviewer (who approves journals)
The process is as follows:
1. Logon as Data inputter to submit the journals
2. Logon as Data reviewer to approve the journals
3. Logon as Data inputter to post the Journals
We are using the custom 4 member to identify different adjustment types. At the moment we are able to set it up in such a way whereby Steps 1 and 2 can be completed but once it comes back to step 3, we get an error as follows:
"User does not have the access right to perform this journal task"
(This error comes about when the access control on custom 4 is set to None, Read, Promote)
Custom 4 Access Rights looks as follows:
Group | C4_ADJ01 | C4_ADJ02 | C4_ADJ03 | C4_ADJ04
HFMDefault | Read | Read | Read | Read
HFMLoad | All | Promote | None | Read
HFMReview | Read | All | All | All
When Custom 4=C4_ADJ01 all 3 steps can be completed but it by-passes step 2 (journal approval).
For all other Custom 4 we complete steps 1 and 2 successfully but not step 3 due to access issues.
Roles for the groups that users assigned look like the following:
# | Test User Name | Test User Name | Access Rights
1 | Base Data input/Journal Data input | test_HFMLoad | Reviewer 1, Review Supervisor, Create Journals, Read Journals, Database Management, Enable write back in Web Grid, Load Excel Data, Generate Recurring, Post Journals, Create Unbalanced Journals, Manage Templates, Data Form Write Back from Excel, Consolidate
2 | Data Reviewer | test_HFMReview | Reviewer 1, Review Supervisor, Create Journals, Read Journals, Database Management, Approve Journals, Consolidate, Reviewer 2, Generate Recurring, Manage Templates, Create Unbalanced Journals
Any help or advice would be much appreciated.
Thanks in advance,
M. -
Hello,
I have a SharePoint 2010 SP1 CU Dec 2011 server with a SQL Server 2012 SP1 CU4 Reporting Services instance. I am able to open Power View and use it normally when bypassing the ISA Reverse Proxy server. However, when going thru ISA I receive the following error.
Power View Cannot connect to the server due to a security issue. The server may not have been able to match the host for Silverlight. This error appears after I click yes on an Internet Explorer Display Mixed Mode prompt.
I've seen a couple references to this issue but not much. This one mentions a clientaccesspolicy.xml file but I haven't had any luck with that. http://connect.microsoft.com/SQLServer/feedback/details/716433/cannot-connect-to-the-server-due-to-a-security-issue-the-server-may-not-have-been-able-to-match-the-host-for-silverlight
Any Ideas? Thanks.
Ryan
Hi Ryan,
Based on my research, the issue should occur due to a by design behavior in Threat Management Gateway (TMG). To work around this issue, you can use SSL between the TMG and the SharePoint Web Server.
Hope this helps.
Regards,
Mike Yin
TechNet Community Support -
Windows 8 Remote Desktop Error "The Requested Security Package Does Not Exist"
When my remote host (win server 2008 R2) is configured to use SSL for security layer, RDP from my Windows 8 gets
"An authentication error has occurred. The requested security package does not exist."
When the host is set to use RDP security layer, it works fine.
Registry key solution for Win7 suggested on other posts does not seem to apply to win8.
This is a Lenovo desktop, I uninstalled Silverlight and a bunch of other OEM installed programs.
This fixed my problem in Windows 8 while connecting to a Windows 7 host. I needed the pku2u entry. I decided to look it up and here's the info for anyone that's interested.
Introducing PKU2U in Windows
Applies To: Windows 7, Windows Server 2008 R2
This product evaluation topic for the IT professional describes the Public Key Cryptography Based User-to-User (PKU2U) security support provider (SSP) that is new in Windows 7 and Windows Server 2008 R2.
PKU2U protocol
The PKU2U protocol in Windows 7 and Windows Server 2008 R2 is implemented as an SSP. The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called Homegroup, which permits sharing between computers that are not members of a domain.
How PKU2U works
Windows 7 and Windows Server 2008 R2 introduce an extension to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decides whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U. You can also develop or add other SSPs.
When computers are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation and associates the user's certificate to a security token and the logon process completes.
For more information about developing SSPs, see Custom Security Packages in the MSDN Library.
For more information about the Negotiate extensions (Negoexts), see Introducing Extensions to the Negotiate Authentication Package. -
My company will not allow us to download iOS 7 due to software / security issues on our end. The problem is I need to download Numbers but it says I need iOS 7. Is there any way to get an earlier update of Numbers that doesn't require iOS 7?
Thank you so much! It's updating now. I'm hoping that once the update is finished that it will sync like normal as well. Of course I'm still a bit confused/concerned about how it refused to update on its own, but for now that's not a problem. Hopefully from now on there won't be any more problems.